Francesco Molfese // Blog
https://francescomolfese.it/en/
Thu, 04 Jun 2020 14:54:25 +0000
Azure Networking: how to secure Windows Virtual Desktop deployments
https://francescomolfese.it/en/2020/06/azure-networking-come-mettere-in-sicurezza-i-deployments-di-window-virtual-desktop/
Thu, 04 Jun 2020 14:54:21 +0000

Windows Virtual Desktop is a full desktop and application virtualization service available in Azure that, in a period like this, where work from home has increased exponentially, has seen wide adoption. Enabling your employees to work from home requires organizations to address major changes in their IT infrastructure in terms of capacity, network, security and governance. The Virtual Desktop Infrastructure (VDI) solution in Azure can help companies effectively address these changes, but you need to protect access to these VDI environments appropriately. This article describes how you can structure networking in Azure to effectively protect Windows Virtual Desktop deployments.

In order to adopt the right approach, it is necessary to evaluate which are the components of Windows Virtual Desktop (WVD) and how they interact. The service is delivered according to a shared responsibility model and consists of:

Managed Azure services responsible for brokering connections between Remote Desktop clients and Windows virtual machines in Azure. These are the server roles required for this environment, such as Gateways, Web Access, Brokers and Diagnostics, fully managed by Microsoft.

In a Hub-Spoke network architecture, the Hub is a virtual network on Azure that serves as the point of connectivity to the on-premises network. This connectivity can be established through a Site-to-Site VPN or through ExpressRoute. The Spokes are virtual networks peered with the Hub and can be used to isolate workloads. A good approach is therefore to structure Azure networking by adopting this network topology right away and place the Windows Virtual Desktop virtual machines on a Spoke network. This network architecture is also designed to host, in the Hub network, a network virtual appliance (NVA) that controls network flows centrally. Control of network communications can be assigned to a network virtual appliance (NVA) or to Azure Firewall, Microsoft's managed and fully integrated public cloud service, which lets you secure the resources on Azure Virtual Networks.

However, in order for the service to work properly, you must allow access from the WVD machines, attached to the spoke virtual network, towards specific Fully Qualified Domain Names (FQDNs). The full list of addresses required for Windows Virtual Desktop to work can be found in this Microsoft document. To simplify this configuration, Azure Firewall provides the FQDN tag called WindowsVirtualDesktop, which you can use in a specific application rule. In this regard, note that this tag does not include access to the storage and service bus accounts required by the Windows Virtual Desktop host pools. Since these URLs are deployment-specific, you can allow HTTPS traffic to the exact URLs as needed, or you can use wildcards for the following FQDNs: *xt.blob.core.windows.net, *eh.servicebus.windows.net and *xt.table.core.windows.net. These FQDN tags are also available in third-party Virtual Appliances to simplify configuration.
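As an added example (not code from the original article), the following Azure PowerShell commands build the application rule collection just described: one rule using the WindowsVirtualDesktop FQDN tag, and a second HTTPS-only rule for the deployment-specific storage and service bus wildcards that the tag does not cover. The resource group name, firewall name and spoke subnet range are placeholders assumed here.

```powershell
# Added example, not from the original article: Azure PowerShell (Az.Network)
# commands that create the Azure Firewall application rules for WVD session hosts.
# Assumptions (placeholders, not from the article): resource group "rg-hub",
# firewall "azfw-hub", and the WVD session-host subnet range 10.1.0.0/24.

$rgName   = 'rg-hub'        # assumed hub resource group
$fwName   = 'azfw-hub'      # assumed Azure Firewall instance name
$wvdHosts = '10.1.0.0/24'   # assumed address range of the WVD spoke subnet

# Rule 1: the WindowsVirtualDesktop FQDN tag covers the service URLs listed in
# the Microsoft document, so they do not have to be enumerated one by one.
$tagRule = New-AzFirewallApplicationRule -Name 'Allow-WVD-ServiceTag' `
    -SourceAddress $wvdHosts -FqdnTag 'WindowsVirtualDesktop'

# Rule 2: the tag does NOT include the deployment-specific storage and
# service bus endpoints, so those are allowed with the wildcard FQDNs
# named in the article, restricted to HTTPS.
$storageRule = New-AzFirewallApplicationRule -Name 'Allow-WVD-Storage-ServiceBus' `
    -SourceAddress $wvdHosts -Protocol 'https:443' `
    -TargetFqdn '*xt.blob.core.windows.net', '*eh.servicebus.windows.net', '*xt.table.core.windows.net'

# Group both rules in one collection with an explicit Allow action; every
# other outbound HTTP/S destination stays denied by the firewall's default.
$wvdCollection = New-AzFirewallApplicationRuleCollection -Name 'WVD-Outbound' `
    -Priority 200 -ActionType Allow -Rule $tagRule, $storageRule

# Attach the collection to the existing firewall and push the change.
$azFw = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName
$azFw.ApplicationRuleCollections.Add($wvdCollection)
Set-AzFirewall -AzureFirewall $azFw
```

Keeping the storage and service bus wildcards in their own rule makes it easy to audit which deployment-specific destinations are open, independently of what Microsoft adds to the tag over time.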

Conclusions

One of the first aspects to consider when you implement solutions in the cloud is the network architecture to be adopted. Establishing the most appropriate network topology from the outset gives you a winning strategy and avoids having to migrate workloads later in order to adopt a different network architecture, with all the complications that ensue. The Hub-Spoke network architecture also lends itself well to Windows Virtual Desktop deployment scenarios, as it provides a high level of control over network security aspects and allows network traffic to be segregated using Azure Firewall or third-party Network Virtual Appliances.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 21 and 22)
https://francescomolfese.it/en/2020/06/azure-iaas-and-azure-stack-announcements-and-updates-2020-weeks-21-22/
Wed, 03 Jun 2020 07:59:18 +0000

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure Compute

Azure DevTest Labs updates

New updates are available in Azure DevTest Labs: Azure DevTest Labs is now available in the Switzerland North and […]

Storage

Object replication public preview for Azure Blob storage

Object replication is a new capability for block blobs that lets you replicate your data from your blob container in one storage account to another anywhere in Azure. Object replication unblocks a new set of common replication scenarios:

Azure Ultra Disk customers already benefit from server-side encryption (SSE) with platform-managed keys for Azure Managed Disks, enabled by default. SSE with customer-managed keys (CMK) improves on platform-managed keys by giving you control of the encryption keys to meet your compliance needs. SSE with CMK is integrated with Azure Key Vault, which provides highly available and scalable secure storage for your keys backed by hardware security modules (HSM). You can either bring your own keys (BYOK) to your key vault or generate new keys in the Key Vault.

Networking

Azure Firewall updates

New key features are now available in Azure Firewall:

Forced tunneling: configure a default route (0.0.0.0/0) on the AzureFirewallSubnet, or publish a default route to the firewall over BGP, to send all traffic to on-premises or to a nearby NVA.

SQL FQDN filtering: filter outbound SQL traffic using application rules. Support is for SQL proxy mode only. Redirect mode support is tentatively planned for later in 2020.

These features are included in the Azure Firewall standard SKU, so there is no change in the price.

Network service tiers with new Routing Preference option in preview

Using the new “Routing Preference” option in Azure, customers can choose how their traffic is routed between Azure and the internet. Prior to making “routing preferences” customer selectable, Azure exclusively kept and optimized customer traffic over Azure’s global network. The introduction of this new competitive egress tier adds a secondary option for solutions that do not require the premium predictability and performance of Microsoft’s global network. Instead it will allow customers to further architect their traffic to their needs and allow routing to the public internet as quickly as possible. Customers will have the option to select routing preference while creating a public IP address for an IaaS resource such as a Virtual Machine, Virtual Machine Scale Set or internet-facing Load Balancer, and for their Azure storage account.

Azure Peering Service is generally available

Peering Service is a networking capability that enhances customer connectivity to Microsoft cloud services such as Office 365, Dynamics 365, software as a service (SaaS) services, Azure, or any Microsoft services accessible via the public internet. Microsoft has partnered with internet service providers (ISPs), internet exchange partners (IXPs), and software-defined cloud interconnect (SDCI) providers worldwide to provide reliable and high-performing public connectivity with optimal routing from the customer to the Microsoft network.

Enterprises looking for internet-first access to the cloud, or considering SD-WAN architecture, or with high usage of Microsoft SaaS services need robust and high-performing internet connectivity. Customers can work with their Telco/carrier to take advantage of Peering Service, which is now generally available.

Key customer features include:

Best public routing (optimum route hops/AS hops) over the internet to Microsoft cloud services for optimal performance and reliability.

Ability to select the preferred service provider to connect to the Microsoft cloud.

Azure Stack

Azure Stack expands solutions and partner ecosystem

A host of new Azure Stack portfolio partners are accelerating time to value for hybrid customers today:

The Aware Group, which builds IoT Edge modules that use AI to detect anomalies and perform noise classification, is now delivering modules and solutions tailored to the industry.

Avanade is offering customers a fully managed Azure Stack Hub leveraging HPE’s Edgeline EL8000, a small form factor that does not require external cooling, making it ideal for locations like retail or manufacturing, where a datacenter may not be available on site.

CloudAssert is providing an enterprise cloud-based solution streamlining the management and operations of multiple Azure Stack Hub deployments, including resources located on-premises and public clouds, with a single pane of glass.

Microsoft is also launching the open-source Fast Healthcare Interoperability Resources (FHIR) server available now for Azure Stack Hub and Azure Stack Edge. Customers can now quickly connect existing data sources such as electronic health record systems or research databases at the edge while addressing compliance and regulatory requirements.

Finally, now available on GitHub, manufacturing customers can get started with an AI solution at the edge that combines the power of Azure Stack Hub and Azure Stack Edge with computer vision to modernize a factory floor.

ManageIQ (CloudForms) (public preview): ManageIQ, formerly known as CloudForms, now allows cloud operators to manage their resources on Azure Stack Hub and use Red Hat technical tooling to manage the Azure Stack Hub. ManageIQ is a supported platform from IBM and Red Hat.

Windows containers and Azure Container Networking Interface in Azure Kubernetes Service (AKS) engine deployed Kubernetes clusters will soon be in private preview. The Azure Container Networking Interface plug-in lets you deploy and manage your own Kubernetes clusters with native Azure networking capability by default. This release, which will come as an update to the Azure Kubernetes Service engine, expands the capabilities of Kubernetes clusters on Azure Stack Hub.

Azure Stack Hub supports cross-platform compatibility on PowerShell

Azure Stack Hub now supports cross-platform compatibility on PowerShell and ensures hybrid consistency with Azure. Azure Stack Hub will utilize Az modules with new resource providers from Azure IoT Hub, Azure Stack Edge, and Event Hubs. This enables full cross-compatibility between Azure and Azure Stack Hub using PowerShell and PowerShell Core. You can install PowerShell and connect to Azure Stack Hub on macOS. This is available through the Az PowerShell installer.

Azure Management services: What's new in May 2020
https://francescomolfese.it/en/2020/05/azure-management-services-whatsnew-2020-05/
Fri, 29 May 2020 15:05:59 +0000

To stay constantly updated on news regarding Azure management services, our community releases this monthly summary, allowing you to have an overview of the main new features of the month. In this article you will find the news, presented concisely and accompanied by the references needed to investigate further.

The following diagram shows the different areas related to management that are covered in this series of articles, so that you can stay up to date on these topics and best deploy and maintain applications and resources.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor

New version of the agent for Linux systems

A new version of the Log Analytics agent has been released this month for Linux systems. The main innovations introduced are:

Stability and reliability improvements.

Better support for Azure Arc for Servers.

FIPS compliance.

Support for RHEL 8.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signing from 17 August 2020, postponing the date previously set to 18 May 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008). Customers in this condition should apply the latest updates and patches on these operating systems before 17 August 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Feature extensions of Azure Monitor

The following enhancements have been made in Azure Monitor that expand its functionality and make it an increasingly complete solution:

Microsoft has added soft-delete functionality for workspaces to make recovery easier if necessary. In the event of a deletion, the workspace goes into a soft-delete state so that it can be restored, including data and connected agents, within 14 days. This behavior can be overridden to permanently delete the workspace. To avoid deleting workspaces by mistake from the Azure portal, a specific section has been added where you can see how many solutions are installed and the daily data volume received in the last 7 days per data type. Restoring the workspace can now be done directly from the Azure portal.

Azure Service Health now also reports emerging issues in the Azure portal. An emerging issue is a situation in which Azure is aware of a widespread outage but may not yet be fully aware of its extent and scope. Previously, emerging issues were only available on the Azure Status page.

Configure

Azure Automation

TLS 1.2 Enforcement

Starting from September 1st 2020, Azure Automation will enforce Transport Layer Security (TLS) version 1.2 or later for all external HTTPS endpoints.

Secure

Azure Security Center

Changes to the just-in-time (JIT) virtual machine (VM) access service

The following changes have been made to the just-in-time (JIT) virtual machine (VM) access service:

The recommendation advising to enable JIT on a VM has been renamed from “Just-in-time network access control should be applied on virtual machines” to “Management ports of virtual machines should be protected with just-in-time network access control”.

Protect

Azure Backup

SAP HANA backup for VM Red Hat Enterprise Linux

Azure Backup now supports protecting SAP HANA databases on Red Hat Enterprise Linux (RHEL) virtual machines. This feature provides integrated protection for SAP HANA databases on RHEL, one of the most commonly used operating systems in these scenarios, without having to provision a dedicated backup infrastructure.

Protect against accidental deletion of Azure file shares

To provide greater protection against cyberattacks and accidental deletion, Azure Backup has added an extra layer of security to the Azure file shares snapshot management solution. If you delete a file share, its content and its recovery points (snapshots) are retained for a configurable period of time, enabling full recovery without data loss. When you configure protection for a file share, Azure Backup enables soft-delete functionality at the storage account level with a retention period of 14 days, which is configurable according to your needs. This setting determines the time window in which you can restore the contents and snapshots of your file shares after any accidental deletion operation. Once the file share is restored, backups resume without any further configuration.

Azure Site Recovery

Zone-to-zone disaster recovery available in new regions

Zone-to-Zone DR is now also available in the Southeast Asia and UK South regions. With this Azure Site Recovery feature, called zone-to-zone DR, you can create disaster recovery (DR) plans for virtual machines (VMs) by replicating them between different Azure Availability Zones. If a single Azure Availability Zone is compromised, virtual machines can be failed over to a different zone within the same region and accessed from the secondary Availability Zone.

Introduced support for proximity groups

Azure Site Recovery has introduced support for proximity placement groups (PPGs). With this feature, any virtual machine (VM) hosted within a PPG can be protected using Azure Site Recovery. When enabling replication of that VM, you can provide a PPG in the secondary region as an additional parameter. When a failover is triggered, Site Recovery will place the VM in the destination PPG provided by the user.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

Azure Networking: IP address management for outbound traffic from Azure
https://francescomolfese.it/en/2020/05/azure-networking-gestione-degli-indirizzi-ip-per-il-traffico-in-uscita-da-azure/
Wed, 20 May 2020 13:12:27 +0000

When designing architectures in Azure, it is often important to determine precisely which public IP addresses are used for outbound network traffic. A common requirement is to ensure that outbound traffic from the Azure virtual network uses known public IP addresses. This requirement is typically due to the need to explicitly authorize traffic from Azure on other resources. This article describes how you can govern this aspect in Azure, which elements to take into account, and which new features have recently been introduced in this area.

When you need to fix the public IP address for the outbound traffic of a single virtual machine, the easiest method is to assign a Public IP address to it. This IP address will be used for inbound traffic, if necessary, and for outbound traffic. Through Network Security Groups (NSGs), the primary tool to control network traffic in Azure, you can filter communications with appropriate deny and permit rules.

This approach is recommended if there is a real need to use a Load Balancer to balance inbound network traffic across multiple virtual machines. It also allows you to limit the number of public IPs required, by configuring multiple virtual machines behind the same load balancer.

Using Azure Firewall

If you have Azure Firewall and network traffic is routed to this component through specific routes, you can be sure that it will reach the Internet using the Public IPs assigned to the Azure Firewall instance. You can associate up to 250 public IP addresses with Azure Firewall; however, consider that the source public IP address used by Azure Firewall for connections is currently chosen at random from the assigned IPs. This matters when you need to grant specific permissions to traffic coming from Azure Firewall and when you need to manage passive FTP access (unsupported if Azure Firewall has multiple IP addresses assigned). Microsoft nevertheless has on its roadmap the ability to configure SNAT by specifying which public IP address to use.

A subnet can then be configured by specifying which NAT Gateway resource to use. When configuration is complete, all outbound network flows (UDP and TCP) from any virtual machine attached to that subnet will use the Public IP (standard SKU), the Public IP Prefix, or a combination of these. The same NAT Gateway resource can be used by multiple subnets, provided they belong to the same Virtual Network.
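As an added example (not code from the original article), the following Azure PowerShell commands create a Virtual Network NAT gateway backed by a fixed Standard-SKU public IP and associate it with two subnets of the same virtual network, which is the configuration described above. Resource group, region, VNet and subnet names and prefixes are placeholders assumed here.

```powershell
# Added example, not from the original article: Azure PowerShell (Az.Network)
# commands that give every outbound TCP/UDP flow from two subnets one known
# public IP via a Virtual Network NAT gateway.
# Assumptions (placeholders): resource group "rg-spoke", region "westeurope",
# VNet "vnet-spoke" with subnets "snet-app" (10.2.1.0/24) and "snet-db" (10.2.2.0/24).

$rgName   = 'rg-spoke'
$location = 'westeurope'
$vnetName = 'vnet-spoke'

# 1. The egress address: NAT gateway requires a Standard SKU public IP, which is
#    static, so the address can be placed in remote allow-lists with confidence.
$pip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'pip-natgw-egress' `
    -Location $location -Sku Standard -AllocationMethod Static

# 2. The NAT gateway resource itself, bound to that public IP.
$natGw = New-AzNatGateway -ResourceGroupName $rgName -Name 'natgw-spoke' `
    -Location $location -Sku Standard -IdleTimeoutInMinutes 10 -PublicIpAddress $pip

# 3. Associate the gateway with each subnet that must use it. Both subnets
#    belong to the same virtual network, as the article requires.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnets = @(
    @{ Name = 'snet-app'; Prefix = '10.2.1.0/24' },   # assumed subnet
    @{ Name = 'snet-db';  Prefix = '10.2.2.0/24' }    # assumed subnet
)
foreach ($s in $subnets) {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $s.Name `
        -AddressPrefix $s.Prefix -NatGateway $natGw | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Report the address that downstream allow-lists should contain.
Write-Output "Outbound traffic from $($subnets.Name -join ', ') will use $($pip.IpAddress)"
```

Because the gateway is attached at subnet level rather than per VM, new virtual machines placed in those subnets inherit the same egress address automatically, so the allow-lists on external systems do not have to change as the workload scales.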

Virtual Network NAT is compatible with the following resources, having Standard SKUs:

Conclusions

To govern which IP addresses are used by systems in Azure to communicate externally there are several possibilities, each with its own characteristics. If you are adopting the Hub-Spoke network topology with an Azure Firewall in the Hub network, control is guaranteed by design. In the absence of Azure Firewall or other Network Virtual Appliances, a great solution is the recently introduced Virtual Network NAT.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 19 and 20)
https://francescomolfese.it/en/2020/05/azure-iaas-and-azure-stack-announcements-and-updates-2020-weeks-19-20/
Mon, 18 May 2020 16:42:10 +0000

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

New Azure VMware Solution in preview

Azure VMware Solution empowers customers to seamlessly extend or migrate their existing on-premises VMware applications to Azure without the cost, effort or risk of re-architecting applications or retooling operations. Preview of the new solution is initially available in US East and West Europe Azure regions. The new Azure VMware Solution is expected to be generally available in the second half of 2020 and at that time, availability will be extended across more regions.

The new Azure VMware Solution is:

First-party Microsoft Azure service, endorsed by VMware. The new release of Azure VMware Solution is built on Microsoft Azure without the use of third-party technology. The solution is also cloud verified by VMware and leverages components of the VMware Cloud Foundation framework including vSphere, vCenter, NSX-T, vSAN and HCX.

Seamless integrated Azure experience. In the new solution Microsoft has rearchitected the Software Defined Datacenter (SDDC) layer that underpins the Private Cloud, ensuring a truly seamless Azure experience for customers.

VMware HCX Enterprise now available. The new Azure VMware Solution includes HCX Enterprise edition as an option. With additional features from HCX Enterprise, customers can further simplify their migration efforts to Azure including support for bulk live migrations.

Leverage pricing benefits for Microsoft workloads. Azure VMware Solution supports the Azure Hybrid Benefit, and Azure VMware Solution customers are also eligible for three years of free Extended Security Updates on 2008 versions of Windows Server and SQL Server.

New cloud regions in Italy, New Zealand and Poland

Microsoft announced plans for new cloud datacenter regions in three countries: Italy, New Zealand and Poland. In Italy, Microsoft is building a new datacenter region in Milan, which will provide access to Azure, Microsoft 365/Office 365 and Dynamics 365 and the Power Platform set of tools.

Virtual machine (VM)-level disk bursting

Virtual machine-level disk bursting is a new feature that allows your virtual machine to burst its disk IO and MiB/s throughput performance for a short time daily, to handle unforeseen spiky disk traffic smoothly and process batched jobs quickly. The feature is now enabled on all Azure Lsv2-series virtual machines, with support for more virtual machine types and families to come soon. This feature doesn’t cost anything extra and comes enabled by default.

General availability of Azure Spot Virtual Machines

Azure Spot VMs provide access to unused Azure compute capacity at deep discounts. Spot pricing is available on single VMs in addition to VM scale sets (VMSS). This enables you to deploy a broader variety of workloads on Azure while enjoying access to discounted pricing compared to pay-as-you-go rates. Spot VMs offer the same characteristics as a pay-as-you-go virtual machine, the differences being pricing and evictions. Spot VMs can be evicted at any time if Azure needs capacity.

Storage

Azure Blob versioning public preview

Applications and users create, update, and delete data in Azure Blob storage continuously. A common requirement is the ability to manage and access both current and historical versions of the data. As the next step to enhance data management and protection, the Blob storage versioning preview is available. Azure Blob Versioning automatically maintains previous versions of an object and identifies them with version IDs. You can list both the current blob and previous versions using version ID timestamps. You can also access and restore previous versions as the most recent version of your data if it was erroneously modified or deleted by an application or other users.

Blob Index for Azure Storage in preview

Blob Index is a managed secondary index that allows you to store multi-dimensional object attributes to describe your data objects in Azure Blob storage. It is now available in preview. Built on top of blob storage, Blob Index offers consistent reliability, availability, and performance for all your workloads. Blob Index provides native object management and filtering capabilities, which allow you to categorize and find data based on attribute tags set on the data.

Asynchronously replicating the data to another region within the same geo into a single zone (like LRS today) protecting from a regional outage.

When using GZRS, you can continue to read and write the data even if one of the availability zones in the primary region is unavailable. In the event of a regional failure you can also use read-access geo-zone-redundant storage (RA-GZRS) to continue having read access to your data or execute account failover to also restore write accessibility. GZRS provides a great balance of high performance, high availability and disaster recovery and is beneficial when building highly available applications/services in Azure.

Azure File Sync is removing support for TLS 1.0 and 1.1

Azure File Sync service will remove support for TLS 1.0 and 1.1 in August 2020.

Networking

Azure Virtual Network NAT in Azure Government and Azure China

Azure Virtual Network NAT (network address translation) is now generally available in the Azure Government and Azure China regions. NAT simplifies outbound-only internet connectivity for virtual networks and can be configured for one or more subnets of a virtual network.

Rules Engine on Azure Front Door Service brings your specific routing needs to the forefront of its application delivery experience, giving you more control over how you define and enforce what content gets served from where. Rules Engine empowers you to modify request and response headers, or dynamically override your existing route behavior based on incoming requests.

Private Link is now available on Event Grid

Azure Event Grid now has Private Link integration for custom topics and event domains, generally available in all Azure regions, allowing virtual network resources within their production workloads to communicate directly to their Event Grid topics without accessing the public internet. This enables enterprise workloads to take advantage of event-driven architectures securely for mission-critical workloads that require network isolation.

Azure Stack

Azure Stack Hub

Azure App Service and Azure Functions on Azure Stack Hub update available

A major update to Azure App Service on Azure Stack Hub is now available. The update build number is 87.0.2.10. All fixes and updates are detailed in the release notes.

This release updates the resource provider and brings new key capabilities and fixes:

Azure Monitor: how to enable the monitoring service for virtual machines through Azure Policy
https://francescomolfese.it/en/2020/05/azure-monitor-come-abilitare-il-servizio-di-monitor-delle-macchine-virtuali-tramite-azure-policy/
Mon, 11 May 2020 16:22:39 +0000

The service that allows you to monitor virtual machines, called Azure Monitor for VMs, has been made available in Azure Monitor. This service allows you to analyze system performance data and builds a map that identifies all dependencies of virtual machines and their processes. The recommended way to enable this solution on many systems is through Azure Policy. This article describes the steps to take to activate it using this method, revisiting various concepts related to Azure governance.

Key Features of Azure Monitor for VMs

Azure Monitor for VMs can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers), and includes the following areas:

Maps: generates a map with the interconnections between the various components that reside on different systems. Maps show how VMs and processes interact with each other and can identify dependencies on third-party services. The solution also allows you to check for connection errors, count connections in real time, and see the network bytes sent and received by processes and the latencies observed at the service level.

Enabling through Azure Policy

Azure Policy lets you apply and enforce compliance criteria and related remediation actions at scale. To enable this feature automatically on the virtual machines in your Azure environment and achieve a high level of compliance, it is recommended that you use Azure Policy. Using Azure Policy, you can:

Initiatives, which are sets of multiple Azure Policies, can be assigned at the Resource Group, Subscription or Management Group level. You can also exclude specific resources from the application of the policies.
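As an added example (not code from the original article), the following Azure PowerShell script assigns the built-in "Enable Azure Monitor for VMs" initiative named in this article at subscription scope, excludes one resource group, gives the assignment the managed identity that its deployIfNotExists policies need, and starts remediation tasks so that VMs that already exist are brought into compliance. The subscription id, workspace resource id, excluded resource group and region are placeholders; the cmdlet syntax assumes the Az.Resources and Az.PolicyInsights modules as they were in 2020 (for example the -AssignIdentity switch).

```powershell
# Added example, not from the original article: assign the "Enable Azure Monitor
# for VMs" initiative with Azure PowerShell and remediate existing VMs.
# Assumptions (placeholders): subscription id, Log Analytics workspace id,
# excluded resource group "rg-lab", region "westeurope"; Az.Resources /
# Az.PolicyInsights cmdlet syntax as of 2020.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$excludedScope  = "$scope/resourceGroups/rg-lab"             # placeholder RG to exclude
$workspaceId    = "$scope/resourceGroups/rg-monitor/providers/Microsoft.OperationalInsights/workspaces/law-central"  # placeholder
$location       = 'westeurope'

# Locate the built-in initiative by its display name.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'Enable Azure Monitor for VMs' }
if (-not $initiative) { throw 'Initiative "Enable Azure Monitor for VMs" not found' }

# The initiative takes the target workspace as a parameter; read the parameter
# name from the definition rather than hard-coding it (it is not named in the article).
$wsParamName = ($initiative.Properties.Parameters.PSObject.Properties |
    Where-Object { $_.Name -like '*logAnalytics*' } | Select-Object -First 1).Name
if (-not $wsParamName) { throw 'Workspace parameter not found in the initiative definition' }
$params = @{ $wsParamName = $workspaceId }

# Assign at subscription scope, exclude the lab resource group (-NotScope), and
# create a system-assigned identity: deployIfNotExists policies use it to
# install the agents on non-compliant VMs.
$assignment = New-AzPolicyAssignment -Name 'enable-azmon-vms' `
    -DisplayName 'Enable Azure Monitor for VMs' `
    -PolicySetDefinition $initiative -Scope $scope -NotScope $excludedScope `
    -PolicyParameterObject $params -AssignIdentity -Location $location

# Policy evaluates new and updated resources on its own; VMs that already exist
# need a remediation task, one per deployIfNotExists policy in the initiative.
foreach ($ref in $initiative.Properties.PolicyDefinitions) {
    $def = Get-AzPolicyDefinition -Id $ref.policyDefinitionId
    if ($def.Properties.PolicyRule.then.effect -ne 'deployIfNotExists') { continue }  # skip audit policies
    Start-AzPolicyRemediation -Name "rem-$($ref.policyDefinitionReferenceId)" `
        -PolicyAssignmentId $assignment.ResourceId `
        -PolicyDefinitionReferenceId $ref.policyDefinitionReferenceId | Out-Null
}
```

The identity created by -AssignIdentity still needs the role assignments declared in each policy's roleDefinitionIds on the target scope before the remediation deployments can succeed, which is why the assignment is created before the remediation loop runs.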

In this regard, the policies for enabling Azure Monitor for VMs are grouped into a single "initiative", "Enable Azure Monitor for VMs" that includes the following policies:

An effective way to make this data easily accessible and to analyze it simply is to use Workbooks, interactive documents that allow you to better interpret information and perform in-depth analysis. In this Microsoft document you can consult the list of Workbooks included in Azure Monitor for VMs and how to create your own custom ones.

Conclusions

This article demonstrates how you can enable the Azure Monitor for VMs solution in a simple, fast and effective way by adopting Azure Policy. The solution provides very useful information that typically needs to be collected from different systems in your environment. The increasing complexity and number of services on Azure make it essential to adopt tools like Azure Policy in order to have effective governance policies. In addition, with the introduction of Azure Arc it will be possible to extend these Azure management and governance practices to different environments, thus facilitating the implementation of Azure features across all infrastructure components.

Azure IaaS and Azure Stack: announcements and updates (May 2020 – Weeks: 17 and 18)
https://francescomolfese.it/en/2020/05/azure-iaas-and-azure-stack-announcements-and-updates-2020-weeks-17-18/
Mon, 04 May 2020 13:39:33 +0000

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Maintenance control for platform updates

The maintenance control feature for Azure Virtual Machines platform updates is now generally available for Azure Dedicated Hosts and isolated virtual machines (VMs). This feature gives you more control over platform maintenance when dealing with highly sensitive workloads. Use this feature to control all host updates, including rebootless updates, within a 35-day window. The ability to control the maintenance window is particularly useful when you deploy workloads that are extremely sensitive to interruptions running on an Azure Dedicated Host or an isolated VM where the underlying physical server runs a single customer’s workload. This feature is not supported for VMs deployed in hosts shared with other customers.

New DCsv2-series virtual machines are available

You can develop confidential applications that protect data while it’s being processed in the CPU with new DCsv2-series virtual machines (VMs), powered by Intel SGX. Traditionally, applications are protected while at rest and in transit. Now, you can deliver applications that protect data while in use. This enables a new set of scenarios like multiparty sharing, where it’s possible to combine data from multiple companies to run machine learning models without the companies getting access to each other’s data.

Windows Server containers in AKS now generally available

Windows Server containers in Azure Kubernetes Service (AKS) are now generally available. You can take advantage of this new feature to run Linux and Windows workloads side-by-side in a single cluster using the same tools. Create/upgrade/scale Windows node pools in AKS through the standard tools (portal/CLI) and Azure will help manage the health of the cluster.

Azure Migrate now available in Azure Government

Microsoft’s service for datacenter migration, Azure Migrate, is now available in Azure Government, unlocking the whole range of functionality for government customers. Azure Migrate V2 for Azure Government includes a one-stop shop for discovery, assessment, and migration of large-scale datacenters.

Storage

Enhanced features in Azure Archive Storage

Three new feature enhancements for Azure Block Blob storage and Azure Archive storage are now generally available, making the service faster, simpler, and more capable.

Priority retrieval from Azure Archive. High rehydrate-priority fulfills the need for emergency data rehydrate from archive, with retrievals for blobs of a few GB typically taking less than one hour.

CopyBlob enhanced capabilities. The CopyBlob API supports the archive access tier, allowing you to copy data into and out of the archive access tier within the same storage account. It also includes support for the other two new features—priority retrieval and direct to access tier of your choice.

Azure Kubernetes Service (AKS) Private Link is generally available. You can use it to isolate your Kubernetes API server within your Azure virtual network, enabling fully private communication with the managed Kubernetes control plane hosted by AKS.

Azure Management services: What's New in April 2020
https://francescomolfese.it/en/2020/05/azure-management-services-whatsnew-2020-04/
Fri, 01 May 2020 08:13:12 +0000

Starting from this month, the series of articles released by our community about what's new in Azure management services is renewed. These will be articles, published on a monthly basis, dedicated exclusively to these topics in order to provide a greater level of depth.

Management refers to the tasks and processes required to better maintain business applications and the resources that support them. Azure offers many strongly related services and tools to provide a comprehensive management experience. These services are not exclusively for Azure resources, but they can potentially also be used for on-premises environments or other public clouds.

The following diagram shows the different areas related to management that will be covered in this series of articles, so that you can stay up to date on these topics and carry out the deployment and maintenance of applications and resources in the best possible way.

Figure 1 – Management services in Azure overview

Monitor

Azure Monitor for containers: support for monitoring the use of GPUs on AKS GPU-enabled node pools

Azure Monitor for containers has introduced the ability to monitor the use of GPUs in Azure Kubernetes Service (AKS) environments with nodes that take advantage of GPUs. Currently, NVIDIA and AMD are supported as vendors. This monitoring functionality can be useful for:

Azure Security Center introduces an interesting feature that allows you to send the security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. The functionality is called Continuous Export and is described in detail in this article.

Workflow automation functionality

Azure Security Center includes the ability to define workflows to respond to security incidents. Such processes may include notifications, the initiation of a change management process and the application of specific remediation operations. The recommendation is to automate as many procedures as possible, as automation can improve security by ensuring that the process steps are performed quickly, consistently and according to predefined requirements. The workflow automation functionality has been made available in Azure Security Center. It can be used to automatically trigger Logic Apps based on security alerts and recommendations. In addition, manual execution of triggers is available for security alerts and for recommendations that have the quick fix option available.

Monitoring of Java applications is now possible without making changes to the code, thanks to Azure Monitor Application Insights. In fact, the new Java codeless agent is available in preview. Among the libraries and frameworks supported by the new Java agent we find:

gRPC.

Netty/Webflux.

JMS.

Cassandra.

MongoDB.

Retirement of the Office 365 solution

The solution “Azure Monitor Office 365 management (Preview)”, which allows you to send Office 365 logs to Azure Monitor Log Analytics, is expected to be retired on 30 July 2020. This solution has been replaced by the Office 365 solution present in Azure Sentinel and the solution “Azure AD reporting and monitoring”. The combination of these two solutions offers a better experience in configuration and use.

Azure Monitor for Containers: support for Azure Red Hat OpenShift

Azure Monitor for Containers now also supports, in preview, monitoring of Kubernetes clusters hosted on Azure Red Hat OpenShift version 4.x and OpenShift version 4.x.

Azure Monitor Logs: limitations on concurrent queries

To ensure a consistent experience for all users querying Azure Monitor Logs, new concurrency limits will be gradually implemented. These will help protect against too many queries being sent simultaneously, which could potentially overload system resources and compromise responsiveness. These limits are designed to intervene only in extreme usage scenarios, and should not be relevant for typical use of the solution.

Secure

Azure Security Center

Dynamic compliance packages available

The Azure Security Center regulatory compliance dashboard now includes dynamic compliance packages to track further industry and regulatory standards. The dynamic compliance packages can be added at subscription or management group level from the Security Center policy page. After adding a standard or benchmark, it is displayed in the regulatory compliance dashboard with all related data. A summary report will also be available for download for all the standards that have been integrated.

Identity recommendations included in the Azure Security Center free tier

Security recommendations relating to identity and access have been included in the Azure Security Center free tier. This extends the cloud security posture management (CSPM) functionality available for free. Before this change, these recommendations were only available in the Azure Security Center Standard tier. Here are some examples of recommendations for identity and access:

“Multifactor authentication should be enabled on accounts with owner permissions on your subscription.”

“A maximum of three owners should be designated for your subscription.”

“Deprecated accounts should be removed from your subscription.”

Protect

Azure Backup

Cross Region Restore (CRR) for Azure virtual machines

This new Azure Backup feature introduces the ability to start restores on demand in a secondary region, fully controlled by the customer. To do this, the Recovery Services vault that holds the backups must be set to geographic redundancy; in this way the backup data in the primary region is geographically replicated to the secondary region associated with it by Azure (paired region).

In Azure Backup, protection of SAP HANA databases running in virtual machines is available in all major Azure regions. This functionality provides integrated SAP HANA database protection without having to provision a dedicated backup infrastructure. This solution is officially certified by SAP.

Evaluation of Azure

To test for free and evaluate the services provided by Azure you can access this page.

In this summary, which we publish on a monthly basis, the main announcements regarding System Center are listed, accompanied by the references needed to investigate them further.

System Center Operations Manager (SCOM)

Update Rollup 9 for SCOM 2016 introduces fixes for various issues; for more information, you can see the specific KB.

New dashboards for the Azure Management Pack

Using the Azure Management Pack (MP) you can monitor Azure subscriptions and resources from SCOM. SCOM's console natively shows alerts and resource status collectively in a single view, without providing the ability to apply filters of any kind. The introduction of the new dashboards resolves this limitation. These are the main benefits introduced:

Azure IaaS and Azure Stack: announcements and updates (April 2020 – Weeks: 15 and 16)
https://francescomolfese.it/en/2020/04/azure-iaas-and-azure-stack-announcements-and-updates-2020-weeks-15-16/
Mon, 20 Apr 2020 07:20:32 +0000

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

SQL Server 2019 IaaS images with Linux distribution support now available

Azure Marketplace pay-as-you-go images for SQL Server 2019 on RHEL 8.0, […]

Virtual machine scale sets now provide the ability to automatically deploy new versions of custom images to scale set virtual machines. Enabling automatic OS image upgrades on your scale set helps ease update management by safely and automatically upgrading the OS disk for all virtual machines in the scale set. This capability is now available in preview for custom images through Shared Image Gallery.

Automatic instance repairs for virtual machine scale sets

Virtual machine scale sets now provide the capability to automatically repair unhealthy instances based on application health status. Configure the scale set instances to emit application health by using either the application health extension or Azure Load Balancer health probes. After the automatic repairs policy is enabled, when an instance is found to be unhealthy, the scale set will automatically delete the unhealthy instance and create a new one to replace it.

Azure Migrate is now available in Azure Government

Azure Migrate provides a hub of Microsoft and partner tools to help customers meet their migration needs. Azure Migrate also offers scenarios for database migration, VDI migration, and web application migration, in addition to at-scale migration of VMware, Hyper-V, and physical servers to Azure. All Azure Migrate features, including agentless discovery and assessment, application inventory, and migration, are now available in Azure Government.

Azure File Sync v10 released

The Azure File Sync agent v10 release is being rolled out to servers that are configured to automatically update when a new version becomes available.

Improvements and issues that are fixed:

Improved sync progress in the portal

Improved cloud tiering portal experience

Support for moving the Storage Sync Service and/or storage account to a different Azure Active Directory (AAD) tenant

Evaluation tool now identifies files or directories that end with a period

Miscellaneous performance and reliability improvements

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog by following the steps documented in KB4522409.

Networking

Azure Virtual Network supports reverse DNS lookup

Azure Virtual Network now supports reverse DNS lookup (PTR DNS queries) for virtual machine IP addresses by default. Use this to quickly look up the name of a VM from its IP address. Previously, using DNS queries to look up the fully qualified domain name (FQDN) of a virtual machine from its IP address would result in an NXDOMAIN response. Now, instead of getting an NXDOMAIN, you’ll receive the valid FQDN of the virtual machine to which the IP address belongs.